In SmartView, when Check Point shows attacks (for example, 2 critical attacks) and I click one (let's say it was found by the Anti-Virus blade), it shows the details and writes only "Action: Detect" and "not prevented by policy".
Besides, in the General Overview tab, it shows general information about detection and prevention (%).
How can I clearly understand them?
Does it mean that the blades cannot prevent all types of attacks?
What is the difference between detect and prevent? Does "detect" refer to some kind of protection?
If attacks are being logged as "Detect", it is because the Threat Prevention policy has not been set to "Prevent" those particular signatures. Based on the "a1.jpg" screenshot, it looks like your policy is in Detect mode. Detect mode will just log and alert you to an event happening, but the Gateway won't actually prevent anything from happening. This mode is good for giving you an idea of what is going on in your environment.
However, if you want the Gateway to prevent things, those policies need to be changed over to "Prevent". In R80.10, you can do this by going to Security Policies -> Threat Prevention -> Policy and reviewing the settings. Check Point offers some "out of the box" templates like Strict, Optimized, and Basic to get you started. If you aren't totally familiar with Threat Prevention, one of these templates may be a good place to start.
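The detection/prevention percentages in the General Overview tab are, in the end, a count of Threat Prevention events by their "Action" field. The following is an added example, not code from this thread or from Check Point: it parses a handful of constructed log records written in a key="value" style (an assumed layout loosely modelled on Log Exporter output; the field names `product`, `severity`, `action`, `protection_name` and `src` are assumptions here, not an authoritative schema), computes the per-blade Prevent ratio, and lists the Critical events that were only detected, i.e. the ones that a profile in Prevent mode would have blocked.

```python
import re
from collections import defaultdict

# Constructed sample records (not real Check Point logs). Field names are assumed.
SAMPLE_LOGS = [
    'product="Anti-Virus" severity="Critical" action="Detect" protection_name="Trojan.Win32.Generic" src="10.1.2.3"',
    'product="Anti-Virus" severity="High" action="Detect" protection_name="Exploit.PDF.Generic" src="10.1.2.5"',
    'product="IPS" severity="High" action="Prevent" protection_name="SQL Injection" src="10.1.2.9"',
    'product="IPS" severity="Critical" action="Detect" protection_name="Command Injection" src="10.1.2.7"',
    'product="Anti-Bot" severity="Critical" action="Prevent" protection_name="C2 Beacon" src="10.1.3.1"',
    'product="Anti-Bot" severity="Low" action="Prevent" protection_name="Suspicious DNS" src="10.1.3.2"',
    # A plain firewall log line: not a Threat Prevention verdict, so it must be ignored.
    'product="Firewall" severity="Informational" action="Accept" src="10.1.4.4"',
]

# Matches key="value" pairs; values may contain spaces but not double quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Only these two actions are Threat Prevention verdicts we want to count.
TP_ACTIONS = ("Detect", "Prevent")


def parse_record(line):
    """Turn one key="value" line into a dict."""
    return dict(KV_RE.findall(line))


def summarize(lines):
    """Per-blade Detect/Prevent counts plus the Prevent percentage.

    Returns {blade: {"Detect": n, "Prevent": n, "prevent_pct": float}}.
    A blade at 0.0 is one where the profile is effectively detect-only.
    """
    counts = defaultdict(lambda: {"Detect": 0, "Prevent": 0})
    for line in lines:
        rec = parse_record(line)
        action = rec.get("action")
        if action not in TP_ACTIONS:
            continue  # skip non-TP records such as Accept/Drop firewall logs
        counts[rec.get("product", "unknown")][action] += 1

    summary = {}
    for blade, c in counts.items():
        total = c["Detect"] + c["Prevent"]
        summary[blade] = {
            "Detect": c["Detect"],
            "Prevent": c["Prevent"],
            "prevent_pct": round(100.0 * c["Prevent"] / total, 1) if total else 0.0,
        }
    return summary


def detect_only_critical(lines):
    """Critical events that were logged but not blocked.

    These are the "not prevented by policy" entries an admin should review
    before deciding whether to move the profile to Prevent.
    """
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("action") == "Detect" and rec.get("severity") == "Critical":
            hits.append((rec.get("product"), rec.get("protection_name"), rec.get("src")))
    return hits


if __name__ == "__main__":
    for blade, stats in summarize(SAMPLE_LOGS).items():
        print(f"{blade:10s} detect={stats['Detect']} prevent={stats['Prevent']} "
              f"prevent_pct={stats['prevent_pct']}")
    for blade, protection, src in detect_only_critical(SAMPLE_LOGS):
        print(f"REVIEW: {blade} '{protection}' from {src} was detected only")
```

Run it against exported logs instead of the constructed sample to see which blades are still sitting at 0% Prevent; those are the profiles to switch over, after checking that the detect-only Critical hits are not false positives.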
Is it dangerous for my network if it keeps going on in Detect mode?
Or should I change it to Prevent mode?
I'm not totally familiar with Threat Prevention and I don't know exactly how to turn on Prevent mode.
I will check those templates, thanks.
Yes, Detect is basically a temporary mode until the administrator makes a verdict to completely block the attack or disable a false-positive inspection. Sometimes doing full Prevent and adding exceptions with "Disable" for certain internal traffic is also acceptable.
The log card has various "go-to" links that let you change the configuration from there. Make sure to install policy to apply the change.
The Compliance Blade will present a list of action items related to Threat Prevention. Some of them advise switching from "detect-only" mode to "according to the policy".
Which point can I start from?
From one of the default policies as noted above.
For most customers, we recommend using the Optimized profile.
If you're new, you might want to review this TechTalk we did:
It detects and validates whether it is malicious; if it is not, it lets it pass, and if it is malicious, it blocks it?
Does it detect and prevent any action you take with this subscription service?
It inhibits the service, so scam tools will no longer be able to view the active service?